With the maturity of 3G networks and the improvement in the performance of mobile terminals, it has become possible to provide real time data services on mobile terminals. For example, users can watch mobile TV through a mobile TV client, or request audio/video programs on demand or watch live audio/video programs through a mobile streaming media client. The development of real time data services will effectively improve the 3G user experience, and operations based on real time data services will become the hotspot and focus of 3G operators.
The real time data service comprises mobile TV, video on demand, live video and the like. After a real time data service server is deployed in a wireless local area network (WLAN), users can access the server through a real time data service client on the mobile terminal to obtain the real time service data stream and experience the real time data service, such as browsing mobile TV programs, video on demand and live video.
Because of the low security of the WLAN, a WLAN authentication and protection protocol must be adopted to improve the security of the real time data service, so that legal mobile terminals can use the service securely and with high quality while illegal mobile terminals are prevented from accessing the real time data service server. Indeed, the WLAN authentication and privacy infrastructure (WAPI) protocol is the optimum choice.
WAPI, which addresses the security issues of wired equivalent privacy (WEP) and other protocols in IEEE 802.11, is the WLAN security solution specified in the China WLAN National Standard GB15629.11 after repeated argumentation by multiple parties and adequate consideration of various application modes.
In the WAPI protocol, access authentication of mobile terminals and negotiation of keys are performed mainly through the authentication and key management process provided by the WLAN authentication infrastructure (WAI) protocol, and encrypted transmission of data in the media access control (MAC) layer is completed through the encryption and decryption process provided by the WLAN privacy infrastructure (WPI) protocol, so as to guarantee that legal mobile terminals securely access the real time data service server.
There are two modes of authentication and key management provided in the WAI protocol:
(1) Authentication and key management mode based on certificate,
wherein a WLAN mobile terminal (usually called mobile terminal for short) and an access point (AP) exchange their WAPI certificates, have the certificates authenticated by an authentication server, and negotiate a base key (BK) during the certificate authentication process; after the negotiation of the base key, the mobile terminal and the AP negotiate a session key by using the negotiated base key, to obtain the session key, such as a unicast session key, a multicast key and the like; and
(2) Authentication and key management mode based on pre-shared key,
wherein the mobile terminal and the AP each export the base key by using the same pre-shared key (PSK), and negotiate a session key by using the exported base key, to obtain the session key, such as a unicast session key, a multicast key and the like.
Either of the two modes above can be used in a real time data service system that supports the WLAN as an access network. The authentication and key management mode based on certificate has higher security, but its process is more complex; the AP of the real time data service system needs to generate a base key for each accessing mobile terminal by adopting the elliptic curve Diffie-Hellman (ECDH) key exchange algorithm, resulting in a great amount of calculation. The authentication and key management mode based on pre-shared key has lower security, but its process is simple; the same pre-shared key (i.e., the same base key) can be used by multiple mobile terminals, so the amount of calculation for generating the base key and the management cost are reduced.
FIG. 1 shows a flowchart of a prior-art method for implementing the real time data service by adopting the authentication and key management mode based on pre-shared key, the method comprising:
101: A mobile terminal and an access point (AP) of a real time data service system export a base key (BK) by using a pre-shared key.
102: The mobile terminal and the AP complete negotiation of a session key by using the base key to obtain the session key between them, such as a unicast session key, a multicast session key and the like.
On completion of authentication and session key negotiation according to the WAI protocol, the AP opens a control port to allow interaction between the mobile terminal and a real time data service server of the real time data service system.
103: The mobile terminal interacts with the real time data service server to complete the transmission of real time data service control signalling;
in this process, control signalling messages are transmitted encrypted between the mobile terminal and the AP by using the unicast session key negotiated in Step 102, and are transmitted in plaintext or by other secure means between the AP and the real time data service server, because the communication link between them is relatively secure.
The main functions of the control signalling comprise negotiating parameters of the real time data service, setting up an audio/video transmission channel, and starting/controlling the transmission of audio/video data of the real time data service; for example,
103a: The mobile terminal sends a describe request signalling to the real time data service server through the AP, carrying the media parameters supported by the mobile terminal; the real time data service server sends a describe response to the mobile terminal through the AP, carrying the media parameters selected by the server; through these signalling interactions, the mobile terminal and the real time data service server complete the negotiation of the real time data service media parameters.
103b: The mobile terminal sends an audio/video transmission channel setup request signalling to the real time data service server through the AP; the real time data service server sends an audio/video transmission channel setup response signalling to the mobile terminal through the AP; through these signalling interactions, an audio/video transmission channel is set up between the mobile terminal and the real time data service server.
103c: The mobile terminal sends an audio/video data play control signalling, such as Play, Pause, Stop and the like, to the real time data service server through the AP, to play, pause and stop the transmission of the audio/video data.
104: The real time data service server sends the audio/video data to the mobile terminal through the AP.
Also in this process, the audio/video data messages can be transmitted in plaintext or by other secure means between the AP and the real time data service server, but are transmitted encrypted between the AP and the mobile terminal by using the unicast session key or the multicast key negotiated in Step 102.
It should be noted that, while the audio/video data messages are being transmitted from the real time data service server to the mobile terminal, control signalling messages can be transmitted at any time between the real time data service server and the mobile terminal, but the audio/video data and the control signalling are never carried in the same messages, i.e., the audio/video data and the control signalling are transmitted in different logical channels.
It can be seen from the description above that adopting the WAI authentication and key management mode based on pre-shared key in the real time data service system avoids the interaction between the AP and the authentication server, reduces the amount of calculation on the AP, and increases the number of mobile terminals that can simultaneously access the AP. In addition, real time data service operators can provide multiple subscribed users with the same pre-shared key, with which the users (the mobile terminals) can access the real time data service system to preview the real time data service.
However, the method above has the following defects:
1) the base key exported from the pre-shared key has low security: once the pre-shared key is leaked, an illegal user can negotiate a session key with the AP by using the base key corresponding to the pre-shared key, and thereby access the real time data service system; and
2) charging is impossible, so only free preview programs can be provided to the users, because the authentication and key management mode based on pre-shared key never provides the real time data service system with the WAPI certificate of the mobile terminal; the users can receive chargeable service data only after re-accessing the real time data service system by adopting the authentication and key management mode based on certificate.
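The following Python model is an added example, not part of this description or of the WAPI standard; it simulates Steps 101 to 103 of the pre-shared key flow above (base key export, unicast session key negotiation, the AP opening its control port only afterwards, and control signalling decrypted at the AP before reaching the server link), and it exhibits defect 1: every holder of the pre-shared key exports the same base key. The HMAC-based derivation and the keystream-plus-MIC protection are placeholders assumed here, since the WAI key derivation and WPI cipher are not specified on this page; the PSK, nonces and signalling bytes are constructed sample values.

```python
import hmac, hashlib, os

def kdf(key: bytes, label: bytes) -> bytes:
    # Placeholder derivation (HMAC-SHA256, 16 bytes); the WAI KDF is not given on this page.
    return hmac.new(key, label, hashlib.sha256).digest()[:16]

def export_bk(psk: bytes) -> bytes:                      # Step 101: PSK -> base key
    return kdf(psk, b"BK")

def negotiate_usk(bk: bytes, sta_nonce: bytes, ap_nonce: bytes) -> bytes:  # Step 102
    return kdf(bk, b"USK" + sta_nonce + ap_nonce)         # unicast session key

def wrap(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    # Placeholder for WPI protection: HMAC-based counter keystream, then a 32-byte MIC.
    out = bytearray()
    for i, b in enumerate(msg):
        if i % 32 == 0:
            ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(b ^ ks[i % 32])
    ct = bytes(out)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, mic = blob[:-32], blob[-32:]
    if not hmac.compare_digest(mic, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MIC check failed")
    return wrap(key, nonce, ct)[:-32]                      # XOR keystream is symmetric

class AccessPoint:
    def __init__(self, psk: bytes):
        self.bk = export_bk(psk)        # one BK shared by every PSK holder (defect 1)
        self.usk, self.open_ports = {}, set()

    def negotiate(self, sta_id: str, sta_nonce: bytes) -> bytes:
        ap_nonce = os.urandom(16)
        self.usk[sta_id] = negotiate_usk(self.bk, sta_nonce, ap_nonce)
        self.open_ports.add(sta_id)     # control port opens only after Step 102
        return ap_nonce

    def forward_control(self, sta_id: str, nonce: bytes, blob: bytes) -> bytes:
        # Step 103: decrypt with the terminal's USK; plaintext onward to the server link.
        if sta_id not in self.open_ports:
            raise PermissionError("control port closed: WAI negotiation not complete")
        return unwrap(self.usk[sta_id], nonce, blob)

def run_flow(psk: bytes, sta_id: str) -> bytes:
    """Constructed scenario: a terminal holding the PSK completes Steps 101-103 with the AP."""
    ap = AccessPoint(psk)
    sta_nonce = os.urandom(16)
    ap_nonce = ap.negotiate(sta_id, sta_nonce)
    usk = negotiate_usk(export_bk(psk), sta_nonce, ap_nonce)   # terminal side of Step 102
    nonce = os.urandom(8)
    return ap.forward_control(sta_id, nonce, wrap(usk, nonce, b"DESCRIBE request"))
```

Because `AccessPoint` never learns a certificate identity, the only thing it can check is possession of the shared base key, which is exactly why a leaked pre-shared key admits any terminal and why per-user charging is not possible in this mode.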